Snapchat becomes target of widespread cyberattack

Andrea Chang and Salvador Rodriguez

Days after being warned of a security weakness in its popular app, Snapchat became the target of a widespread cyberattack that affected millions of users, a black eye for a local start-up with sky-high hopes of becoming the next social media juggernaut.

A reported 4.6 million user names and phone numbers were exposed by the New Year's Eve breach. The hackers, who did not want to be identified, told The Times they went after Snapchat to expose the company's security flaws.

Such attacks have become all too common for companies, but for Snapchat, a photo-messaging app based on secrecy, they are especially damaging.

"The problem for Snapchat is kids seek it out because they think it's more secure," said Rob Enderle, principal analyst at technology advisory firm Enderle Group. "This goes against the brand. It makes them seem less secure when their advantage is supposed to be more security."

The hackers published the information on Snapchatdb.info, censoring the last two digits of users' phone numbers to minimize spam and abuse. But they hinted that they would be willing to release the full numbers "under certain circumstances."

The Venice company said in a blog post Thursday that "no other information, including snaps, was leaked or accessed in these attacks." Snapchat also said it would be releasing an updated version of the app and was implementing other restrictions "to address future attempts to abuse our service."

User names and phone numbers are not considered sensitive information, so security experts and tech analysts say the Snapchat hack isn't extremely serious.

The bigger problem, they said, is that Snapchat is now seen as vulnerable and thus a target for more severe breaches. A reputation of security problems could cause users to vacate the service, which would be devastating for the company.

The start-up has become a runaway hit with users, who use the app to send images to friends that disappear after a few seconds. Snapchat has become so popular — more than 400 million snaps are sent a day — that Facebook Inc. reportedly offered $3 billion to buy the company.

Snapchat executives turned down the offer, a sign that they thought the company was worth more.

"This kind of problem can scare away users," Enderle said. "Then the valuation plummets and the amount that someone is willing to pay also goes down. So they may find that their next big buyer is not there."

It was yet another high-profile cybersecurity compromise during the holiday season. A few weeks ago, Target Corp. disclosed a massive breach of financial data of 40 million customers, one of the nation's biggest retail cybercrimes on record.

Although the Snapchat hack was significantly less serious than Target's, which exposed credit and debit card information, affected Snapchat users — many of them teenagers — were alarmed that one of their favorite apps had put their personal information at risk.

After finding out about the hack, 15-year-old Brock Renshaw looked on a website that helps users check whether they were affected and discovered that his user name and phone number were exposed.

"I was a little scared," Brock said. "I don't want my phone number to be out there for anyone to take."

The Herrin, Ill., high school sophomore said he uses Snapchat every day to socialize with his friends and said he wished that the company would provide guidance on what affected users should do.

"I don't know if I should delete my Snapchat, make a new one or get a new phone number. I don't know," Brock said.

In an email to The Times, the hackers declined to identify themselves but said that more than one person was involved and that they were from North America and Europe.

"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," they said. "It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does."

The hackers said the database contained user names and partial phone numbers "of a vast majority of the Snapchat users" and said that the group had received numerous requests from around the world for the complete database. Security researchers, professors, private investigators and attorneys have been among those seeking the data, the hackers said.

"We review their requests and send them the information they wanted if we decide their request is justified," the group said.

Snapchat was warned by a group called Gibson Security on Christmas Eve that its app contained a security flaw that could expose its users in the exact way that the hackers managed to do.

On Dec. 27, Snapchat acknowledged the vulnerability in a blog post but downplayed the seriousness of the security hole.

"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match user names to phone numbers that way," Snapchat said in its post.

"Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."

But clearly those measures weren't enough, said Lucas Zaichkowsky, a security expert for cyber incident response company AccessData.

He said Snapchat and its users were lucky that no passwords were published, but the attack does make Snapchat an attractive target for criminal hackers.

The hack also stresses the need for users to have different passwords for the various Internet accounts they use. Users should make sure that their Snapchat log-in information is different from what they use for Facebook, their email or their bank because "Snapchat isn't taking security seriously," he said.

For users who were affected by the Snapchat hack, Zaichkowsky said they should simply reset their passwords.

Enderle, the tech analyst, said the Snapchat breach should serve as a "warning shot" to the company.

"When one person gets through and gets the notoriety for penetrating this kind of company, the pot looks all the sweeter," he said. "This won't be the last time they're hit, and the next time could be far more dramatic."